Tinder security flaw enabled access to accounts with just user's phone number

on Friday, February 23, 2018|

Researchers at cybersecurity firm AppSecure has revealed a critical vulnerability that allows hackers to take down users Tinder account by just entering their phone number.

The security flaw termed as 'account takeover vulnerability' let attackers access the entire chat history without the need for a password.

The exploit took advantage of two separate vulnerabilities: one in Tinder and another in Facebook’s Account Kit system. The Account Kit system is a platform which is used by users for quickly registering and login to an app using a phone number and email address, a vulnerability in this system exposed users’ access tokens, which could be easily accessed through a simple API request with an associated phone number.

'The user clicks on Login with Phone Number on tinder.com and then they are redirected to Accountkit.com for login,' wrote Appsecure's Anand Prakash, who discovered the flaw.

'If the authentication is successful then Account Kit passes the access token to Tinder for login.

'This enabled the attacker to use any other app’s access token provided by Account Kit to take over the real Tinder accounts of other users.'

According to the expert, both the vulnerabilities were fixed by Tinder and Facebook quickly.

Facebook and Tinder rewarded him $5000 and $1250, respectively.

Spokesperson of Tinder has issued the company's official statement: "Security is a top priority at Tinder."

" Like other major global technology companies, we employ a network of tools and systems to protect the integrity of our platform. As part of our ongoing efforts in this arena, we employ a Bug Bounty Program and work with skilled security researchers across the globe to responsibly identify potential issues and quickly resolve them."

"At Tinder, we are constantly improving our protocols to not only meet, but exceed industry best practices. However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers."